9a7d0127083689bce4f8b329ea9cb963662efa977b950147db729b85d06f6e69

Analysis

max time kernel
135s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Homebuh.exe
Size

20KB
MD5

2fdbf920d2b84a3dc5ccc6ed0380af72
SHA1

ee66099f568641c09f5b915adf136295245b8b4e
SHA256

51d78c14e079e6c7dd5c49d0fd39f07d9f0428c0413a7ed4815eba437a83ef92
SHA512

3bd2f0c7ed271db478b4e4017b194b4996f7450a4cd1dcc84972d83939fb9d6d306e2b164c418f553220c4fe00e3be49e8596ef31600691a89166736908ed7fd
SSDEEP

96:i9EOLX0pOaBf0JUPbpqNtZmE9QAOZMwayWa6o4hE6zNt:96XuOaBsmzpqNOE9Q1Mwamb4ht

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3756	dw20.exe
Token: SeBackupPrivilege	3756	dw20.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 3756	556	Homebuh.exe	89
PID 556 wrote to memory of 3756	556	Homebuh.exe	89

C:\Users\Admin\AppData\Local\Temp\Homebuh.exe
"C:\Users\Admin\AppData\Local\Temp\Homebuh.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 760
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-0-0x00007FF81C135000-0x00007FF81C136000-memory.dmp

Filesize
4KB

Download
memory/556-1-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download
memory/556-2-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download
memory/556-9-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads